2022 Investigation School
June 7 – August 12, 2022: Multiple Sites
Overview

Students learn the concepts and skills needed to respond effectively to cyber security incidents. The goal is to give participants the equivalent of the skills and experience gained from a full month on a professional Incident Response team handling an Advanced Persistent Threat intrusion. Students are trained on the three core pillars of incident response: Host Forensics, Network Archaeology, and Malware Analysis. Students are also given the opportunity to learn about Incident Coordination and Operational Technology.

In addition to classroom training and lectures, students spend most of their time working on a small team project investigating real data from a historical incident. At the conclusion of the program, students present their findings to senior management in standard incident reporting format.

UNC2452: SUNBURST/TEARDROP

This worldwide compromise was discovered in December 2020 and was the largest cybersecurity incident to date. Involving thousands of businesses and governments across the planet, UNC2452 was ultimately revealed to be a new kind of cybersecurity attack, one for which there was no easy solution.

DOE's Cyber Fire program was at the forefront of the response to this attack, using Network Archaeology techniques to reverse-engineer the SUNBURST DGA and create a custom in-house decoder used by analysts across the complex.

This year's summer school will spend a full week (10% of the program) investigating and recreating a custom decoder for the SUNBURST DGA, using techniques taught in the Network Archaeology class.

Multi-Lab

This year, the Incident Investigation Track will run at multiple National Laboratories! Livermore National Laboratory will host two students who will work alongside six Los Alamos National Laboratory summer students. All students will take classes and work on projects together, but each site will also offer its own local culture and activities.